Python: Implement and use mayHaveAttributeName

2025-12-20 10:46:30 +01:00 · 2020-10-08 14:53:54 +02:00
parent b905a3d5e3
commit e9ecc00b37
2 changed files with 11 additions and 3 deletions
--- a/python/ql/src/experimental/dataflow/TypeTracker.qll
+++ b/python/ql/src/experimental/dataflow/TypeTracker.qll
@@ -116,7 +116,7 @@ predicate returnStep(ReturnNode nodeFrom, Node nodeTo) {
 */
 predicate basicStoreStep(Node nodeFrom, Node nodeTo, string attr) {
  exists(AttrWrite a |
-    a.getAttributeName() = attr and
+    a.mayHaveAttributeName(attr) and
    nodeFrom = a.getValue() and
    simpleLocalFlowStep*(nodeTo, a.getObject())
  )
@@ -127,7 +127,7 @@ predicate basicStoreStep(Node nodeFrom, Node nodeTo, string attr) {
 */
 predicate basicLoadStep(Node nodeFrom, Node nodeTo, string attr) {
  exists(AttrRead a |
-    attr = a.getAttributeName() and
+    a.mayHaveAttributeName(attr) and
    nodeFrom = a.getObject() and
    nodeTo = a
  )
--- a/python/ql/src/experimental/dataflow/internal/Attributes.qll
+++ b/python/ql/src/experimental/dataflow/internal/Attributes.qll
@@ -1,5 +1,6 @@
 /** This module provides an API for attribute reads and writes. */

+import DataFlowUtil
 import DataFlowPublic
 private import DataFlowPrivate

@@ -22,7 +23,14 @@ abstract class AttrRef extends Node {
  abstract ExprNode getAttributeNameExpr();

  /** Holds if this attribute reference may access an attribute named `attrName`. */
-  predicate mayHaveAttributeName(string attrName) { none() }
+  predicate mayHaveAttributeName(string attrName) {
+    attrName = this.getAttributeName()
+    or
+    exists(Node nodeFrom |
+      localFlow(nodeFrom, this.getAttributeNameExpr()) and
+      attrName = nodeFrom.asExpr().(StrConst).getText()
+    )
+  }

  /** Gets the name of the attribute being read or written, if it can be determined statically. */
  abstract string getAttributeName();